Assessing the risks of private data

The following is part one of a two-part series that explores the risk of private data storage.

The volume of information that is created, stored and exchanged by networked devices each day is astronomical. It is projected that with an Internet that already has an estimated 50 billion “things” connected to it, the number of connections will increase to 13,311,666,640,184,600 by the year 2020, according to Cisco Systems. Each of those connections betrays tiny pieces of information about users. While alone those pieces are negligible, in aggregate they offer a window into the private lives of those on the other end.

With information on personal interest, buying patterns and even health readily available, it’s no wonder that businesses have interest in the collection and archiving of user data. But with increased interest comes increased responsibility. Citizens are paying close attention to where their private information is housed, and in a post-Edward Snowden world, they are increasingly skeptical that this is happening in a positive way.

For businesses, confusing and incomplete regulations coupled with threats from outsiders make the management of private customer data a challenging prospect. On top of that, private data on processes, intellectual property and employees that companies store internally makes information theft even more attractive to bad actors.

The chief privacy officer

While there is still some question on exactly where the responsibility of privacy oversight should fall, a host of disparate regulations and laws mean that increasingly, it falls to the law department, or at the very least, to a leader with legal expertise, according to Bill Hardin, Co-Chair of Navigant’s Global Data Privacy and Incident Response practice.

“You definitely need a point person that is going to provide the necessary focus as the rules and regulations are consistently changing. It is a coordinated effort to make sure all departments involved understand how privacy impacts the organization,” Hardin says. “The team needs to have outside firms involved as well as they can provide experiences, benchmarking, and other types of information that the CPO can present to the board and others within the organization. Lastly, legal should be driving the bus as you don’t know what you’re going to find.”

“Every company does it a little differently, including some places where CPO is not in the legal department,” adds Becky Burr, CPO of Neustar. But regardless of where the role is housed, “any company that handles consumer data, no matter how sensitive it is, has to be aware of consumer privacy rules…and you have to have privacy law expertise to deal with that and make the necessary judgment calls, since there’s very little black letter law in this area.”

That leadership role is crucial, explains Todd Ruback, CPO of Evidon. “It starts with having a cultural attitude from the executive level on down through the organization around treating things properly,” he says. “Treating data entrusted to you with the level of respect that you would hope someone would give your data. From there it’s about putting in the policies that support that culture and then processes that support the policies.”

One thing is for certain: A strong leader who will take ownership of data security and privacy initiatives is essential to the success of the program, and arguably the company as a whole.

Ruback says, “At the end of the day it’s all about data, the companies that are innovating around data and looking at privacy as true value propositions and taking steps to build trust around privacy…those are the companies that are going to win.”

Regulatory risks

Perhaps the most vexing data security and privacy challenge for companies in the U.S. is the lack of overarching laws and guidelines that hold businesses accountable. While patchwork regulations exist, they vary wildly from state to state and are not policed by any single enforcement agency.

“There are a variety of specific regulations which impact data security and privacy such as Sarbanes-Oxley or PCI, but what makes matters more challenging is the mass of provisions in law that also impact data protection, breach notification and security,” says James Lyne, global head of security research at Sophos.

California and other states have led the charge towards stricter privacy requirements. California’s civil code 1798, for example, calls privacy a fundamental human right and argues that the use of computers and other information-gathering options has increased the need to protect that right. It states, “In order to protect the privacy of individuals, it is necessary that the maintenance and dissemination of personal information be subject to strict limits.”

More complete regulations in the U.S. are not likely any time soon. Best practices like the recently released National Institute of Standards and Technology (NIST) framework do exist, but they are not enforced and are far from complete.

“The intent of the framework is really around cybersecurity and the risk of industrial espionage, terrorist attacks against our infrastructure, and things of that nature. That’s very different than data breaches caused by someone say losing a laptop at the airport,” says Ruback. “The flip side is that maybe for the first time there could be some objective standard for the industry to adhere to.”

For the foreseeable future, internal audit, private lawsuits and action from individual government agencies are the threats that make these regulations a minefield for corporations.

“We should continue to expect aggressive enforcement from the Federal Trade Commission. We are seeing a lot of state law development with respect to privacy, quite a bit in the last year that is going to continue absent any federal legislative effort. There’s a lot of discussion about federal privacy legislation, but no real agreement about a legislative approach,” says Burr.

Bad actors

In addition to the regulatory issues surrounding the management and storage of private information, other vectors, including threats from hackers and malicious insiders, continue to endanger the private information of customers and businesses.

“You’ve got outside and inside threats…they’re getting more creative, you evolve, they evolve. Opportunity is a driving factor for many threats. Hence, if someone is highly motivated to break into your organization and take information, you consistently have to monitor outside and inside threats. Lastly, the best technology in place will not mitigate the human factor as many employees at companies sometimes make choices that can cause incidents to occur,” Hardin says.

The 2013 Kroll Global Fraud Report revealed that 21 percent of companies are highly vulnerable to cyber threats, with 75 percent registering as moderately vulnerable. The Kroll forecast for 2014 anticipates these threats will continue, and also warns that with more money and information at stake, executives are likely to feel more pressure from internal audit when implementing strategies to combat security risks.

Everything from social engineering to the loss of a device—and even something as simple as neglecting to shred a memo—can result in the loss of personally identifiable information. When information including names, social security numbers and protected health information is compromised, it can facilitate identity theft or other fraudulent activity.

For the time being, the leaders reviewing the privacy strategies of their companies need to be ready for just about anything. Intentional data leaks from the inside, advanced threats from the outside and a proliferation of state and federal regulations make the space challenging for even the most formidable CPO.

In part two of this series in February, InsideCounsel will discuss the strategies and tactics that experts recommend to combat regulatory risks and information theft.